How can you put a backdoor into an encryption algorithm? Are there any techniques that can be used to reduce the time it takes to break a key?

I am looking for practical examples of encryption schemes that have backdoors, either because they were designed to or because new techniques exposed them. It is my understanding that you can use a lack of entropy and diffusion in block ciphers which will reduce the necessary time that it takes to break a key. This is especially true with s-boxes, which can be designed to not increase the strength of the key. As for one-way algorithms, using non-primes can make it easier to reverse keys. What are other decisions that can be made to make a broken encryption algorithm?

The goal is to find examples that can be used for encryption pedagogy, by collecting a sample of weak ciphers to practice on.

To what end? I can't think of any valid reason to do this. Intentionally building a broken system? Beyond the potential legal issues, there are certainly ethical issues, especially if you intend to force people to use your "encryption". And if you don't force them, who in their right mind would choose to? Mental note: never use software from Spike Code. :P
– nicerobot, Feb 26 '12 at 16:00

1

I suggest that you rephrase your question if you really meant to ask e.g. how to detect potential back doors when analyzing algorithms someone else has written.
– Henrick Hellström, Feb 26 '12 at 17:37

@mikeazo, Yes, Schneier's paper does provide some insight into cryptanalysis, by means of exposing progressively harder ciphers and methods to break them. This, I think, provides a level of understanding to go back and find weakness in ciphers and how to take advantage of weaknesses. However, it still appears more of an art to me rather than a science. Also, there seems to be plenty of research on how to avoid nothing up my sleeve numbers (en.wikipedia.org/wiki/Nothing_up_my_sleeve_number) -- but very little on how to implement and exploit them.
– Goose3gg, Feb 27 '12 at 1:37

1

I think that the best way for you to practice breaking cryptosystems is to follow Schneier's course. You could also design your own cryptosystem - which will almost certainly contain holes, just like every other system :) - without deliberately introducing vulnerabilities, and try to break that. Introducing a vulnerability then exploiting it to break the cryptosystem seems a bit pointless. You would already know what to look for...
– Edward Bowles, Feb 27 '12 at 9:28

One thing you will notice when going through Schneier's course (or when looking at cryptanalysis research in general) is that a lot of times it is helpful to restrict the block cipher by decreasing the number of rounds. Decrease the number of rounds enough, and every block cipher is probably breakable. This will teach you a lot.

Once you are familiar with standard cryptanalysis techniques, it shouldn't be too hard to come up with a cipher that is breakable (where you'll know how to break it).

You've asked two different questions here: Q1: how to put a trapdoor in a block cipher, and Q2: examples of block ciphers that are good for learning block cipher cryptanalysis. @mikeazo has answered question Q2 well. I'm going to answer question Q1.

For an example of how to put a hidden backdoor (trapdoor) in a block cipher, see the following research paper:

This manuscript by Warren Smith claims to outline an approach to having an (otherwise very good) block cipher with a trapdoor.

The idea is something like the following: Linear cryptanalysis has you make linear approximations of the S-boxes and then solve a noisy system of equations by getting lots of samples (known plaintext pairs). But this linear system of equations can apparently be solved even more easily if you know some additional (hard-to-compute) properties, like the minimum distance of its associated linear code. Furthermore, since the linear system is just an approximation of the cipher anyway, it's not unique to the cipher. That means you just need to find one linear approximation that has low enough minimum distance.

So to build a block cipher with a trapdoor (apparently), you need to work in reverse. Find a (known) linear system with low minimum distance. Find "random-looking" S-boxes for which the linear system gives a decent approximation, and use these for the actual cipher. If the S-boxes are random-looking, you would conceivably get a block cipher that is resistant to known cryptanalysis methods (e.g., linear, differential).

Anyway, this is what the paper purports to claim. I have not read it in painstaking detail, so don't take this as a full endorsement of the claims. It seems to me like the claimed results would be quite important, and yet this paper is unpublished and is barely cited. That may be an indication that there are some serious flaws; I honestly don't know.
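
The linear approximations of S-boxes that the answer above refers to can be measured directly when auditing a cipher. The following is an added example, not part of the original answer or of the cited manuscript: it builds the linear approximation table (LAT) of a 4-bit S-box and reports the strongest approximation. The function names and the affine S-box are constructed for illustration; the second S-box is the one published for the PRESENT cipher.

```python
# Added example: audit a 4-bit S-box for strong linear approximations.
# An entry LAT[a][b] counts how often  a.x == b.S(x)  (as parities) over all
# inputs x, minus half the input count. 0 means "no linear relation";
# +/-8 for a 4-bit S-box means the relation always (or never) holds.

def parity(v):
    """Parity (XOR of all bits) of the integer v."""
    return bin(v).count("1") & 1

def lat(sbox):
    """Linear approximation table of an S-box given as a list of outputs."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2
             for b in range(n)]
            for a in range(n)]

def strongest_approximation(sbox):
    """Return (|LAT entry|, input mask a, output mask b) over nonzero masks."""
    table = lat(sbox)
    n = len(sbox)
    return max((abs(table[a][b]), a, b)
               for a in range(1, n) for b in range(1, n))

# Constructed weak S-box: an affine map over GF(2), x -> (x ^ (x << 1)) ^ 5.
# It is a permutation of 0..15, but every output-bit combination is an exact
# linear function of the input bits.
AFFINE_SBOX = [(x ^ ((x << 1) & 0xF)) ^ 0x5 for x in range(16)]

# S-box of the PRESENT block cipher, designed to resist linear cryptanalysis.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    for name, sbox in (("affine (constructed)", AFFINE_SBOX),
                       ("PRESENT", PRESENT_SBOX)):
        size, a, b = strongest_approximation(sbox)
        print(f"{name}: strongest |LAT| = {size}/8 "
              f"at input mask {a:#x}, output mask {b:#x}")
```

An S-box whose strongest entry is close to the maximum deserves scrutiny, since linear cryptanalysis chains exactly these approximations across rounds.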